netfilter: nf_conntrack: add support for "conntrack zones"
[net-next-2.6.git] / net / ipv6 / netfilter / nf_conntrack_l3proto_ipv6.c
index 0956ebabbff2a604d809678074ce6e338c00d501..996c3f41fecd419223107751b4e2d66764820599 100644 (file)
@@ -27,6 +27,7 @@
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_l3proto.h>
 #include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 #include <net/netfilter/nf_log.h>
 
@@ -191,15 +192,20 @@ out:
 static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
                                                struct sk_buff *skb)
 {
+       u16 zone = NF_CT_DEFAULT_ZONE;
+
+       if (skb->nfct)
+               zone = nf_ct_zone((struct nf_conn *)skb->nfct);
+
 #ifdef CONFIG_BRIDGE_NETFILTER
        if (skb->nf_bridge &&
            skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
-               return IP6_DEFRAG_CONNTRACK_BRIDGE_IN;
+               return IP6_DEFRAG_CONNTRACK_BRIDGE_IN + zone;
 #endif
        if (hooknum == NF_INET_PRE_ROUTING)
-               return IP6_DEFRAG_CONNTRACK_IN;
+               return IP6_DEFRAG_CONNTRACK_IN + zone;
        else
-               return IP6_DEFRAG_CONNTRACK_OUT;
+               return IP6_DEFRAG_CONNTRACK_OUT + zone;
 
 }
 
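Review bot: The `+ zone` arithmetic in the three returns of nf_ct6_defrag_user() depends on enum ip6_defrag_users reserving a u16-wide range of ids after each base value, and that definition is not visible on this page, so the reservation cannot be confirmed from here. If the ranges overlapped, fragments from different zones could end up in the same reassembly queue, which would presumably undo the separation zones are meant to give. I would document the dependency above the zone lookup, e.g. `/* zone offsets the defrag user so each zone gets its own fragment queues; enum ip6_defrag_users must reserve USHRT_MAX ids after each base */`, and consider a compile-time check next to the enum. The result is also returned as `enum ip6_defrag_users` although it is no longer one of the named enumerators, which is worth a word in the same comment.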
@@ -212,7 +218,7 @@ static unsigned int ipv6_defrag(unsigned int hooknum,
        struct sk_buff *reasm;
 
        /* Previously seen (loopback)?  */
-       if (skb->nfct)
+       if (skb->nfct && !nf_ct_is_template((struct nf_conn *)skb->nfct))
                return NF_ACCEPT;
 
        reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb));
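Review bot: The comment `/* Previously seen (loopback)? */` above the changed test no longer matches the condition, which now sends an skb on to reassembly when the attached skb->nfct is a template. Judging from the nf_ct6_defrag_user() hunk, the template is what carries the zone into the defrag user id, so it must not be mistaken for an already-tracked packet; I would say so, e.g. `/* Previously seen (loopback)? A template only carries the zone and must still be defragmented. */`. The cast `(struct nf_conn *)skb->nfct` is now repeated here and in nf_ct6_defrag_user(); a local `struct nf_conn *ct` would read better. ipv6_defrag() starts and ends outside this hunk.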